Is CloudFront providing enough DDoS protection to S3 Buckets?

1

Hello,

I have an S3 bucket with images that should be accessible to an email template which will be sent via AWS Pinpoint.

Public access to this S3 bucket is blocked (Block Public Access is ON). I have created an OAI with CloudFront, with which I can access the S3 bucket images from the Pinpoint email template.

In the AWS documentation, I see that AWS provides DDoS protection with AWS Shield. Now, there are two options, AWS Shield Standard and AWS Shield Advanced. Standard is free of charge for everybody, and it says that it is by default available to everybody.

My question is, does the fact that AWS Shield Standard is free and used by default by everybody mean that I won't get any DDoS attacks from people trying to access the images from the S3 bucket hidden behind the CloudFront distribution? Do I need to explicitly do something with AWS Shield Standard, or does the protection come by itself?

Thank you in advance.

2 Answers
1

First, I'm not sure the answer is yes or no, as there are various considerations. According to Amazon, if you are distributing from behind CloudFront and Route 53 then Shield Standard provides comprehensive coverage against layer 3 and 4 DDoS attacks:

"AWS Shield Standard defends against most common, frequently occurring network and transport layer DDoS attacks that target your web site or applications. When you use AWS Shield Standard with Amazon CloudFront and Amazon Route 53, you receive comprehensive availability protection against all known infrastructure (Layer 3 and 4) attacks." (source: AWS Shield)

AWS Shield Standard is automatically enabled and included with various AWS services. However, to benefit from that protection you should consider the architecture of your application (which it sounds like you are). The AWS Shield FAQ says:

"Q. How many resources can I enable for AWS Shield Standard protection? There is no limit on the number of resources subject to AWS Shield Standard protection. You can get the full benefits of AWS Shield Standard protections by following the best practices of DDoS resiliency on AWS."

I highly recommend reviewing the full Shield documentation or, at a minimum, the AWS Best Practices for DDoS Resiliency whitepaper.

Finally, Amazon provides additional guidance for deciding whether you may need Shield Advanced.

newrust (AWS), answered 2 years ago
0

While your bucket may be protected using OAI, you will still be charged for requests that reach the bucket, even if they are blocked (403 response) because of the OAI. I'm afraid "security via obscurity" becomes important: make sure that no one malicious knows the name of your bucket.

Shield Standard is enabled by default; however, it protects only against L3/4 attacks and not against request-flood-type attacks. If someone is making malicious requests towards CloudFront, make sure you are caching in CloudFront so that you are not double charged for CloudFront and S3 requests. If malicious requests are causing an increase in CloudFront DTO, consider using CloudFront geo-blocking or AWS WAF with a rate-based rule; however, there are additional charges for the latter.

AWS, answered 4 months ago
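The second answer's points (a request flood is not a L3/4 attack, every cache miss is billed twice, and a WAF rate-based rule is the tool for per-IP flooding) can be checked against the distribution's own standard logs. The script below is an added example, not code from AWS or from either answerer: it parses CloudFront standard-log text driven by the "#Fields:" header, reports per client IP the request count, bytes out, origin fetches (the requests that also appear on the S3 bill) and the peak request count in any 5-minute sliding window (the quantity a WAF rate-based rule evaluates), and emits the WAFv2 rule definition that would block the offender. The log lines, IP addresses, distribution hostname and object paths are all constructed for the example.

```python
"""
Per-client-IP summary of CloudFront standard (access) logs, plus the WAFv2
rate-based rule that would block the noisy client.  Added example for this
thread, not code from AWS or the answerers; every log line below is constructed.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Subset of the CloudFront standard-log columns, in the order the constructed
# sample uses.  Real files carry more columns; parsing is driven by the
# "#Fields:" header line, so a real log works with the same parser.
FIELDS = ("date time x-edge-location sc-bytes c-ip cs-method cs(Host) "
          "cs-uri-stem sc-status cs(Referer) cs(User-Agent) cs-uri-query "
          "cs(Cookie) x-edge-result-type")

# Result types for which the edge contacted the origin.  These requests also
# show up on the S3 bill: Miss fetches the object, RefreshHit sends a
# conditional GET for an expired cached copy.
ORIGIN_FETCH = {"Miss", "RefreshHit"}


def _row(when, ip, uri, query, status, result, sc_bytes):
    """One tab-separated log line in the FIELDS column order (constructed data)."""
    return "\t".join([when.strftime("%Y-%m-%d"), when.strftime("%H:%M:%S"),
                      "FRA50-C1", str(sc_bytes), ip, "GET",
                      "d111111abcdef8.cloudfront.net", uri, str(status), "-",
                      "Mozilla/5.0", query, "-", result])


_t0 = datetime(2024, 5, 1, 10, 0, 0, tzinfo=timezone.utc)
# Two ordinary mail clients fetching the template images ...
_rows = [_row(_t0 + timedelta(seconds=1), "203.0.113.10", "/img/logo.png", "-", 200, "Hit", 10240),
         _row(_t0 + timedelta(seconds=7), "198.51.100.4", "/img/logo.png", "-", 200, "Hit", 10240),
         _row(_t0 + timedelta(seconds=90), "203.0.113.10", "/img/hero.jpg", "-", 200, "Miss", 204800)]
# ... and one address sending a request per second with a cache-busting query
# string against a distribution whose cache key includes the query string, so
# every request misses the cache and is forwarded to S3.
_rows += [_row(_t0 + timedelta(seconds=120 + i), "192.0.2.77", "/img/hero.jpg",
               "v=%d" % i, 200, "Miss", 204800) for i in range(150)]
SAMPLE_LOG = "#Version: 1.0\n#Fields: " + FIELDS + "\n" + "\n".join(_rows) + "\n"


def parse_cloudfront_log(text):
    """Parse W3C-style CloudFront standard log text into a list of dicts keyed
    by the column names given in the "#Fields:" header."""
    fields, records = None, []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split(":", 1)[1].split()
        elif line.startswith("#") or not line.strip():
            continue
        elif fields is None:
            raise ValueError("log data before the #Fields header")
        else:
            values = line.split("\t")
            if len(values) != len(fields):
                raise ValueError("expected %d columns, got %d" % (len(fields), len(values)))
            records.append(dict(zip(fields, values)))
    return records


def _ts(rec):
    return datetime.strptime(rec["date"] + " " + rec["time"],
                             "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)


def summarize_by_ip(records, window_seconds=300):
    """Per client IP: request count, bytes served, origin fetches, and the peak
    number of requests inside any sliding window of window_seconds."""
    by_ip = defaultdict(list)
    for rec in records:
        by_ip[rec["c-ip"]].append(rec)
    summary = {}
    for ip, recs in by_ip.items():
        times = sorted(_ts(r) for r in recs)
        peak, start = 0, 0
        for end, t in enumerate(times):
            # Slide the window start forward until it covers at most window_seconds.
            while (t - times[start]).total_seconds() >= window_seconds:
                start += 1
            peak = max(peak, end - start + 1)
        summary[ip] = {
            "requests": len(recs),
            "bytes_out": sum(int(r["sc-bytes"]) for r in recs),
            "origin_fetches": sum(r["x-edge-result-type"] in ORIGIN_FETCH for r in recs),
            "peak_in_window": peak,
        }
    return summary


def origin_fetch_ratio(records):
    """Fraction of viewer requests that were forwarded to the origin, i.e. the
    share of CloudFront requests that were billed a second time as S3 GETs."""
    if not records:
        return 0.0
    return sum(r["x-edge-result-type"] in ORIGIN_FETCH for r in records) / len(records)


def flag_ips(summary, limit):
    """IPs whose peak request count in the window reaches the rate-rule limit."""
    return sorted(ip for ip, s in summary.items() if s["peak_in_window"] >= limit)


def rate_based_rule(limit, name="RateLimitPerIP", priority=0):
    """WAFv2 rule definition (the shape used in CreateWebACL / UpdateWebACL)
    that blocks any source IP exceeding `limit` requests in the 5-minute window."""
    return {
        "Name": name,
        "Priority": priority,
        "Statement": {"RateBasedStatement": {"Limit": limit, "AggregateKeyType": "IP"}},
        "Action": {"Block": {}},
        "VisibilityConfig": {"SampledRequestsEnabled": True,
                             "CloudWatchMetricsEnabled": True, "MetricName": name},
    }


if __name__ == "__main__":
    recs = parse_cloudfront_log(SAMPLE_LOG)
    summary = summarize_by_ip(recs)
    for ip, stats in summary.items():
        print(ip, stats)
    print("origin fetch ratio: %.3f" % origin_fetch_ratio(recs))
    print("over limit:", flag_ips(summary, 100))
    print(json.dumps(rate_based_rule(100), indent=2))
```

Running it on the constructed log shows 192.0.2.77 at 150 requests, 150 origin fetches and about 30 MB out inside one window, which is exactly the double-billing pattern the answer warns about: each of those requests is a CloudFront request, an S3 GET, and data transfer. A cache policy that drops the query string from the cache key would turn those misses into hits, and the emitted rate-based rule (a web ACL attached to the distribution, billed per ACL, per rule and per million requests) would stop the source before it reaches the cache at all.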
